programs automatically shutting off after I start them...


48 replies to this topic

#1 taves (Member, 27 posts)

Posted 04 January 2007 - 08:42 PM

I have recently experienced a problem where I will open a program up and it will immediately shut down. One program is HijackThis.exe and another where I have experienced this is regedit.exe. Both show up on the monitor briefly before closing down again. I don't know why this is. Any help on this topic would be greatly appreciated.

Thanks

#2 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 04 January 2007 - 10:08 PM

Hi

I removed your other post as it is a duplicate. This could be because some malware is on your system. Some malware targets programs that can be used to remove it.

Two things to try:

1) Copy your regedit.exe to regedit.com, i.e. so you have both a .com and an .exe version.

Then (assuming you are on Windows XP) click Start, select Run and enter

regedit.com

Click OK. Does regedit now start?

2) Make sure your copy of HijackThis is installed to a folder and not the desktop. Then rename HijackThis.exe to a different name, e.g. myhjt.exe. Then click on the renamed file to launch it. Does HijackThis start OK now?

#3 taves (Member, 27 posts)

Posted 05 January 2007 - 10:31 PM

Thanks for your ideas. Unfortunately, I tried both of those things and neither worked. The programs both still shut down after a couple of seconds, if that long. I have also noticed a couple of other problems: each time I restart my computer, System Restore is turned off and my Windows Firewall is disabled. Also, I use Firefox as my browser and it shut down when I tried searching for "hijackthis" in Google.

#4 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 05 January 2007 - 11:02 PM

Hi.

Can you try these two tools please:


1) Try the free beta trial of a tool from F-Secure called Blacklight

F-Secure Blacklight:
https://europe.f-sec...light/try.shtml

Read the info and click the *I accept* button near the bottom of that page.

Download Blacklight Beta (graphical user interface version).

Double-click on blbeta.exe to run it, click Scan, then Next, Next again, then Exit.

There will be a new text file near Blacklight. Post this please. The text file is named fsbl.xxxxxxx.log (the xxxxxxx stand for numbers). Do not take any action based on the scan, please just post the file.

2) Please download Rootkit Revealer
http://www.microsoft...itRevealer.mspx

(link is at the very bottom of the page)

Unzip it to a folder. Open the rootkitrevealer folder and double-click rootkitrevealer.exe. Click the Scan button (bottom right). It may take a while to scan (don't do anything else while it's running - leave the PC idle during the scan).

When it's done, go up to File > Save. Choose to save it to the folder you installed rootkitrevealer. Then open rootkitrevealer.txt you just saved and copy the entire contents and paste them here.

Do not take any action on the output as the items may be perfectly normal.

Many thanks

#5 taves (Member, 27 posts)

Posted 07 January 2007 - 12:46 AM

Hi


This is my F-Secure BlackLight log file,

01/06/07 13:09:23 [Info]: BlackLight Engine 1.0.55 initialized
01/06/07 13:09:23 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/06/07 13:09:24 [Note]: 7019 4
01/06/07 13:09:24 [Note]: 7005 0
01/06/07 13:09:41 [Note]: 7006 0
01/06/07 13:09:41 [Note]: 7011 1940
01/06/07 13:09:41 [Note]: 7026 0
01/06/07 13:09:41 [Note]: 7026 0
01/06/07 13:09:56 [Note]: FSRAW library version 1.7.1021
01/06/07 13:20:25 [Note]: 7007 0

Here is the RootkitRevealer log file,


<< edit >> removed to protect email address << end edit >>

Hope this helps...

Thanks a lot

#6 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 07 January 2007 - 10:05 PM

Hi

The rootkitrevealer log looks OK, I removed it as it had an address in it.

Next please run a scan with Ad-Aware SE but first please download and install the Lavasoft Virtumonde and Look2me remover tools from

http://www.lavasoft....nde_remover.php

and

http://www.lavasoft....emoval_tool.php

Follow the instructions at the above web pages to first run the Virtumonde remover and then the Look2me remover. If either tool finds anything then follow the instructions at the above web pages. If these tools find anything then reboot the PC and run a fresh scan with Ad-Aware.

Post back if these tools find anything. Also could you indicate if it is all programs that are causing problems opening or is just specifically regedit and Hijackthis?

Many thanks

#7 taves (Member, 27 posts)

Posted 08 January 2007 - 02:25 AM

Hi there,

Alright, I tried the different programs you asked about and they didn't come up with any problems. I also ran an Ad-Aware scan and it didn't come up with anything either. The only two programs that I have noticed shutting down are regedit.exe and HijackThis.exe. I haven't come across any other programs so far that close automatically after opening. The only other thing that did anything similar was Firefox when I tried searching for "hijackthis" on Google. Also, when I right-clicked on HijackThis.exe and hit "Properties", Windows Explorer shut down. If I right-click on regedit.exe nothing out of the ordinary happens though.


Thanks for your help.

#8 taves (Member, 27 posts)

Posted 08 January 2007 - 08:37 PM

Hi

Alright, a few more things have come to my attention. Firstly, when I start my computer Webroot Spy Sweeper says that a file called c:\windows\system32\DTOMSGOFKX\winlogon.exe is trying to change a host file; that pop-up comes up twice, although it doesn't happen every time I start up my computer, only sometimes. Also, another pop-up says that regsvr32.exe is trying to be installed and another says that bar888.dll is trying to be installed. It asks if I want to block these 3 files or not. Then it says I should do a sweep and remove all traces of regsvr32.exe and bar888.dll. These last couple of pop-ups do occur each time I start my computer though. Hopefully this helps.

Thanks

#9 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 08 January 2007 - 09:17 PM

Hi

Certainly sounds like some malware is causing the issue. Could you try these two items and see if they find anything please.

1) Start Control Panel, select "Add or Remove Programs". Then scroll down the list of installed programs and look for any of the following:

Cowabanga by OIN
PuritySCAN by OIN
Snowballwars by OIN
OuterInfo or similar
TizzleTalk by OIN
Yazzle
(Anything) by OIN

If any of the above are present please remove them.

2) Download Combofix.zip (by sUBs)
http://download.blee...Bs/combofix.exe
Unzip it to its own folder.
Read here how to unzip/extract properly.
http://metallica.gee...xplanation.html

Open the Combofix folder and doubleclick combo.exe
If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no).
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Please post the contents of the combofix.txt file and if any of the above items were found in add and remove programs.

Many thanks

#10 taves (Member, 27 posts)

Posted 09 January 2007 - 03:36 AM

Hi,


Here is the combofix log file:


Krister Toews - 07-01-08 20:34:04.50 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Downloads"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\taskkill.com
C:\Program Files\Common Files\{30304389-0C80-1033-1126-041104040002}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Krister Toews\Application Data\SMBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-08 to 2007-01-08 ))))))))))))))))))))))))))))))))))


2007-01-08 20:31 <DIR> d--hs---- C:\Config.Msi
2007-01-08 20:24 123,503 --a------ C:\tysb.exe
2007-01-07 21:06 92,485 --a------ C:\tc.exe
2007-01-06 13:28 <DIR> d-------- C:\Program Files\BlackLight
2007-01-06 13:27 <DIR> d-------- C:\Program Files\RootkitRevealer
2007-01-04 00:35 <DIR> d-------- C:\Program Files\ATF Cleaner
2007-01-04 00:34 <DIR> d-------- C:\Program Files\HJT
2007-01-04 00:15 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-01-03 15:12 15,360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-01-03 15:12 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-01-03 15:12 13,824 --a------ C:\WINDOWS\system32\drivers\SSFS041A.sys
2007-01-03 15:12 117,248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-01-03 15:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-01-03 13:23 <DIR> d--hs---- C:\WINDOWS\system32\dtomsgofkx
2007-01-02 02:13 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-02 02:10 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2006-12-27 18:06 93,509 --a------ C:\WINDOWS\system32\pe.exe
2006-12-26 23:22 2 --a------ C:\WINDOWS\system32\wcpsvsu.exe
2006-12-26 19:32 93,509 --a------ C:\WINDOWS\system32\etc.exe
2006-12-16 11:14 <DIR> dr-h----- C:\Documents and Settings\Krister Toews\Recent
2006-12-12 10:30 520,192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-12-12 10:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-12 10:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-12 10:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-12 10:25 806,912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-12-12 10:25 806,912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-12-12 10:25 790,528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-12-12 10:25 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-12 10:25 635,486 --a------ C:\WINDOWS\system32\DivX.dll
2006-12-12 10:25 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-12-12 10:25 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-12-12 10:25 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-12-12 10:25 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-12-12 10:25 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-12-12 10:25 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-12-12 10:25 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-12 10:24 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-12-12 10:24 118,784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe



(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""
"winlogon"=""
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Ptipbmf"="\"rundll32.exe\" ptipbmf.dll,SetWriteCacheMode"
"SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\""
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvMediaCenter"="\"RunDLL32.exe\" NvMCTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"nmapp"="\"C:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe\" -autorun -nosplash"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="\"C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe\" /SYNC"
"PHIME2002ASync"="\"C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE\" /SYNC"
"PHIME2002A"="\"C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE\" /IMEName"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"Ad-watch"="\"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-watch.exe\""
"Ad-aware"="\"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe\" +c"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"winlogon"=""
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"SCDEmuApp.exe"="\"C:\\Program Files\\PowerISO\\SCDEmuApp.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,84,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"="1"
"DisableRegistryTools"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-08 20:35:59.00
C:\ComboFix.txt ... 07-01-08 20:35


I used add/remove programs and I found the bar888.dll file and removed it. That's all I saw. I have removed it via add/remove before but it keeps reappearing. Also, I found that file on my HD but it wouldn't let me delete it. A while back I removed an outerinfo file using the add/remove program. That's everything for now I think, hope this helps.


Thanks!

#11 Ad Astra (Advanced Member, Volunteer Security Advisor, 881 posts)

Posted 09 January 2007 - 05:58 PM

Hi

Good work, that gives a clue as to what is running on your system.

First please download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU).

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Save any documents and close all running applications. Then open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe.

In the "scriptline to execute" field copy and paste c:\bfu\alcanshorty.bfu
Check the box "Show log after script ends", then press Execute and let it do its job. (Please note that this will close your browser session.)

Wait for the "complete script execution" box to pop up and press OK.

Click "Save".

In "filename" enter log.txt

Click Exit to close the BFU program.

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder.


Next try to run regedit again. If it works skip the next step, if regedit still fails please run the following.

First start notepad and then cut and paste the exact text as in the quote box below:

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"=-
"DisableRegistryTools"=-



In Notepad, save this file as c:\myregfix.reg. Open My Computer, double click on the C: drive icon, then right mouse click on the file you just saved, "myregfix.reg", and select Merge. When prompted click Yes to accept the merge.

Now try running regedit and see if it works ok now.

Next try running the renamed HijackThis file you installed earlier, if HijackThis now runs please post the log file after running a scan.

Next please upload the following files so that they can be analysed by Lavasoft. This will help advise on the next steps to take.

Please zip the contents of this folder and submit the zip

C:\QooBox

If there are any files in this folder please also zip them up and submit the zip:

C:\WINDOWS\system32\dtomsgofkx

Submit the following individual files:

C:\WINDOWS\system32\pe.exe
C:\WINDOWS\system32\wcpsvsu.exe
C:\WINDOWS\system32\etc.exe



Then Please go here to upload the suspicious files for analysis.
http://www.uploadmalware.com/

* Enter your username from this forum as: taves
* Copy and paste the link to this thread: http://www.lavasofts...?showtopic=5868

* Click "Browse" on the 1. field.
Browse to the following files and click the file with your mouse, press "Open":
If any files were found, the zip file of C:\WINDOWS\system32\dtomsgofkx

C:\WINDOWS\system32\pe.exe

C:\WINDOWS\system32\wcpsvsu.exe

C:\WINDOWS\system32\etc.exe

And the zip of this folder C:\QooBox

* In the comments, please mention that I asked you to upload this file
* Click on Send File


Analysis of these files will help advise you of the next steps to take.

Many thanks
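As an added illustration (not ComboFix's or Lavasoft's code, and not part of the thread), here is a small Python parser for the "Reg Loading Points" section of a ComboFix-style log like the one posted above. It flags the DisableRegistryTools/NoAdminPage lockout that the myregfix.reg above removes, Run entries with empty values, and Run entries named after core Windows processes (generalising the "winlogon" entry in the posted log to a short assumed watch-list), and builds the matching REGEDIT4 removal file. The sample log is constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the log posted in the thread (not a real capture).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""
"winlogon"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"winlogon"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"="1"
"DisableRegistryTools"="1"

Contents of the 'Scheduled Tasks' folder
"""

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
POLICY_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\policies\system"
# Both policy values appear in the posted log; either one locks the user out of regedit.
LOCKOUT_POLICIES = {"DisableRegistryTools", "NoAdminPage"}
# Assumed watch-list: core Windows process names that a legitimate Run entry never borrows.
SYSTEM_PROCESS_NAMES = {"winlogon", "csrss", "lsass", "services", "svchost", "smss"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data


@dataclass(frozen=True)
class Finding:
    kind: str   # "lockout_policy", "empty_run_entry" or "system_name_run_entry"
    key: str
    name: str
    value: str


def decode_value(raw: str) -> str:
    """Turn a .reg-style right-hand side into a plain string."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # .reg escaping inside quoted data: \\ -> \ and \" -> "
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return str(int(raw[len("dword:"):], 16))
    return raw  # hex: blobs and anything else are kept as written


def parse_loading_points(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, decoded data) triples from the Reg Loading Points section."""
    triples: list[tuple[str, str, str]] = []
    in_section, key = False, None
    for line in text.splitlines():
        line = line.rstrip()
        if not in_section:
            in_section = "Reg Loading Points" in line
            continue
        if line.startswith("Contents of") or line.startswith("(((("):
            break  # the next section of the log has started
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)  # bare HKEY_ lines, hex continuations and blanks don't match
        if key is not None and m:
            triples.append((key, m.group(1), decode_value(m.group(2))))
    return triples


def analyse(text: str) -> list[Finding]:
    """Flag lockout policies, empty Run entries and Run entries named like system processes."""
    findings: list[Finding] = []
    for key, name, value in parse_loading_points(text):
        lowered = key.lower()
        if lowered.endswith(POLICY_KEY_SUFFIX) and name in LOCKOUT_POLICIES and value not in ("", "0"):
            findings.append(Finding("lockout_policy", key, name, value))
        elif lowered.endswith(RUN_KEY_SUFFIX):
            if value == "":
                findings.append(Finding("empty_run_entry", key, name, value))
            if name.lower().removesuffix(".exe") in SYSTEM_PROCESS_NAMES:
                findings.append(Finding("system_name_run_entry", key, name, value))
    return findings


def policy_fix(findings: list[Finding]) -> str:
    """Build a REGEDIT4 file in the form of the thread's myregfix.reg: "name"=- deletes
    the value when the file is merged, one block per key that had a lockout policy."""
    by_key: dict[str, list[str]] = {}
    for f in findings:
        if f.kind == "lockout_policy":
            by_key.setdefault(f.key, []).append(f.name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines += [f"[{key}]", *(f'"{n}"=-' for n in names), ""]
    return "\n".join(lines)
```

Call `analyse(SAMPLE_LOG)` to get the findings and `policy_fix(...)` on them to obtain the .reg text; on the sample, both lockout policies, three empty Run entries and the two "winlogon" entries are reported.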

#12 taves (Member, 27 posts)

Posted 09 January 2007 - 08:16 PM

Hi,

I completed everything you said to do and this is what happened:

here is the BFU log file,

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 12:08:38 PM, on 09/01/2007

Script completed.

That's all that is contained in the log.txt file.

I tried to merge the myregfix.reg file but it said, "C:\myregfix.reg is not a valid win32 application".
After that, my renamed HijackThis file and my regedit still don't work.

I uploaded all the zips/files you asked for except C:\WINDOWS\system32\dtomsgofkx.zip; I went there and couldn't find a folder named "dtomsgofkx".

One thing that has changed is that I can now access the 'properties' of the HijackThis program, which I couldn't do before. What I mean is, when I right-click on the program file and click Properties, Explorer doesn't shut down like it did before... the program itself still doesn't run for more than approximately 3 sec though.

Another thing I noticed now is that when I select hidden folders/files to be shown in "my computer" it automatically reverts back to the old setting of not displaying them.

I think that is everything...hope it helps.

Thanks!

#13 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 09 January 2007 - 08:18 PM

Ad Astra,

Got these 3 files from the OP. They can all be deleted as they are infected.

C:\WINDOWS\system32\pe.exe <-- Toolbar888 malware installer

C:\WINDOWS\system32\wcpsvsu.exe <---Clickspring/PurityScan remnant file (was only 2 bytes)

C:\WINDOWS\system32\etc.exe <---Toolbar888 malware installer

And this folder:
C:\QooBox <---Purityscan files removed by ComboFix that can be deleted. SMBOLS~1 Folder was empty so already cleaned out

That's all that was received so far. (No signs of any files from: C:\WINDOWS\system32\dtomsgofkx - so maybe it was empty)
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#14 taves

taves

    Member

  • Members
  • PipPip
  • 27 posts

Posted 09 January 2007 - 08:22 PM

Hi,


Not sure what happened with my earlier try of BFU, but I tried it again because that didn't seem right and here it is:

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 1:24:33 PM, on 09/01/2007

Option Unload Explorer: Yes
Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Deskbar\deskbar.dll|1 (file not found)
Failed: DllUnregister \asappsrv.dll|1 (file not found)
Failed: DllUnregister \MyToolBar.dll|1 (file not found)
Failed: DllUnregister \888Bar.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\update.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\services.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\activate.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\MyToolBar.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\update.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\services.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\activate.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\MyToolBar.dll (operation failed)
Failed: FolderDelete C:\Program Files\toolbar888 (folder not found)
Failed: FolderDelete C:\Program Files\e-mailpaysu toolbar (folder not found)
Failed: FolderDelete C:\Program Files\EMUSIC TOOLBAR (folder not found)
Failed: FolderDelete C:\Program Files\find dvd toolbar (folder not found)
Failed: FolderDelete C:\Program Files\GULESIDER VERKTÝYLINJE (folder not found)
Failed: FolderDelete C:\Program Files\sesam-p4 toolbar (folder not found)
Failed: FolderDelete C:\Program Files\slownik ling (folder not found)
Failed: FolderDelete C:\Program Files\MediaPipe (folder not found)
Failed: FolderDelete C:\Program Files\p2pnetworks (folder not found)
Failed: FileDelete C:\DOCUME~1\KRISTE~1\LOCALS~1\Temp\~DF65B0.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\PSCastor (folder not found)
Failed: FolderDelete C:\Program Files\CMIntex (folder not found)
Failed: FolderDelete C:\Program Files\PadsysAssistant (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\simtest (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20000 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (folder not found)
Failed: FolderDelete C:\Program Files\Ipwindows (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\Snowball Wars (folder not found)
Failed: FolderDelete C:\Program Files\folder.js (folder not found)
Failed: FolderDelete C:\Program Files\ini.ini (folder not found)
Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
Failed: FolderDelete C:\WINDOWS\system32\crunner (folder not found)
Failed: FolderDelete C:\Program Files\PECarlin (folder not found)
Failed: FolderDelete C:\Program Files\AXVenore (folder not found)
Failed: FolderDelete C:\Program Files\SDVita (folder not found)
Failed: FolderDelete C:\Program Files\EQBranch (folder not found)
Failed: FolderDelete C:\Program Files\EQArticle (folder not found)
Failed: FolderDelete C:\Program Files\PSHope (folder not found)
Failed: FolderDelete C:\Program Files\Batty (folder not found)
Failed: FolderDelete C:\Program Files\Batty2 (folder not found)
Failed: FolderDelete C:\Program Files\AXFibula (folder not found)
Failed: FolderDelete C:\Program Files\CMFibula (folder not found)
Failed: FolderDelete C:\Program Files\PSLister (folder not found)
Failed: FolderDelete C:\Program Files\PSCloner (folder not found)
Failed: FolderDelete C:\Program Files\PSDream (folder not found)
Failed: FolderDelete C:\Program Files\cmapp (folder not found)
Failed: FolderDelete C:\Program Files\cmman (folder not found)
Failed: FolderDelete C:\Program Files\cmsystem (folder not found)
Failed: FolderDelete C:\Program Files\fcengine (folder not found)
Failed: FolderDelete C:\Program Files\wincmapp (folder not found)
Failed: FolderDelete C:\Program Files\Deskbar\Cache (folder not found)
Failed: FolderDelete C:\Program Files\popupwithcast (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\cloader (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.



Thanks

#15 Ad Astra

Ad Astra

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 881 posts

Posted 09 January 2007 - 08:48 PM

Hi

Could you try this to see if we can get regedit working? (Edit: changed to use a command file.)

Start notepad and enter these two lines of text

reg delete HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system /v NoAdminPage

reg delete HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system /v DisableRegistryTools


Make sure the file has only two lines of text, then in Notepad save the file as c:\myregfix.cmd (if you have Windows XP; otherwise save it as myregfix.bat).

Double click on the file you have just created to run the commands. It will open a command window and prompt you twice to confirm deletion; check that the text matches the above and, if correct, enter y and press Return to confirm.

Can you start regedit ok now?

Many thanks

#16 Ad Astra

Ad Astra

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 881 posts

Posted 09 January 2007 - 09:54 PM

Hi

In addition to the above, please boot into safe mode (see this web page for advice on how to do this: http://www.microsoft..._failsafe.mspx)

Then try to delete these three files

C:\WINDOWS\system32\pe.exe
C:\WINDOWS\system32\wcpsvsu.exe
C:\WINDOWS\system32\etc.exe

And then delete this folder and its contents:
C:\QooBox

Reboot again back into normal Windows and see if you can run HijackThis now. If not, please try downloading SilentRunners from:

http://www.silentrun...ent Runners.zip

Unzip the file and double click to run the program. This is a Visual Basic script, so some firewalls etc. may alert you that a script is trying to run; select the option to let this script run. When prompted "Do you want to skip supplementary searches?" select NO. When the scan finishes there will be a txt file whose name begins with "startup programs" in the folder where you saved Silent Runners.

Please post the contents of this file.

Many thanks
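Added example, not from this thread and not part of Silent Runners itself: a small Python triage script for a log in the format the post above asks for, run here over constructed sample lines modelled on that format. It flags the entries Silent Runners marks with <<!>>, Run/startup values that borrow a Windows system-process name or point at a missing file, and the policy values that lock the user out of regedit; the system32 path and the process-name list are assumptions of the example.

```python
"""Triage a Silent Runners log for the kinds of entries discussed in this thread."""
import ntpath
import re
from dataclasses import dataclass

# Assumption: value/file names malware reuses to blend in with real Windows processes.
SYSTEM_PROCESS_NAMES = {"winlogon", "svchost", "csrss", "lsass", "smss", "services"}
# Policy values that lock the user out of their own diagnostic tools.
LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr", "NoAdminPage"}
# Assumption: default XP system directory; the real winlogon.exe lives directly here.
SYSTEM32 = r"c:\windows\system32"

RULE_RE = re.compile(r"-{3,}")                       # underline below a section title
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")               # startup-folder path lines
VALUE_RE = re.compile(r'^(?P<flag><<!>>\s*)?"(?P<name>[^"]*)"\s*(?:=|->)\s*(?P<rest>.*)$')
TAG_RE = re.compile(r"\[([^\]]*)\]\s*$")             # trailing [MS] / [file not found] / ["Vendor"]
PATH_RE = re.compile(r'"([^"]*\.exe)"', re.IGNORECASE)
POLICY_RE = re.compile(r"^\((?P<type>REG_\w+)\)\s*(?P<data>\S+)")


@dataclass
class Finding:
    section: str
    key: str
    name: str
    data: str
    reason: str


def policy_enabled(data: str) -> bool:
    """Interpret Silent Runners' rendering of REG_SZ ('1') and REG_DWORD ('hex:0x00000001')."""
    if data.startswith("hex:"):
        return int(data[4:], 16) != 0
    try:
        return int(data) != 0
    except ValueError:
        return False


def triage(log_text: str) -> list[Finding]:
    """Walk the log, tracking section and registry key, and collect suspicious value lines."""
    findings: list[Finding] = []
    lines = log_text.splitlines()
    section = key = ""
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or RULE_RE.fullmatch(line):
            continue
        if i + 1 < len(lines) and RULE_RE.fullmatch(lines[i + 1].strip()):
            section, key = line.rstrip(":"), ""      # a title is the line above a dashed rule
            continue
        if line.startswith(("HKCU\\", "HKLM\\")) or DRIVE_RE.match(line):
            key = line.replace(" {++}", "").rstrip("\\")
            continue
        m = VALUE_RE.match(line)                     # only quoted value names are handled here
        if not m:
            continue
        name, rest, reasons = m.group("name"), m.group("rest"), []
        if m.group("flag"):
            reasons.append("marked <<!>> by Silent Runners")
        if section.startswith("Group Policies"):
            pm = POLICY_RE.match(rest)
            if pm and name in LOCKOUT_POLICIES and policy_enabled(pm.group("data")):
                reasons.append("policy locks the user out of a diagnostic tool")
        else:
            tm = TAG_RE.search(rest)
            tag = tm.group(1) if tm else ""
            if tag == "file not found":
                reasons.append("target file missing")
            if name.lower().removesuffix(".exe") in SYSTEM_PROCESS_NAMES and tag != "MS":
                reasons.append("value named after a Windows system process")
            pm = PATH_RE.search(rest)
            if pm:
                exe = ntpath.basename(pm.group(1)).lower().removesuffix(".exe")
                if exe in SYSTEM_PROCESS_NAMES and ntpath.dirname(pm.group(1)).lower() != SYSTEM32:
                    reasons.append("system-process name running from a non-system directory")
        if reasons:
            findings.append(Finding(section, key, name, rest, "; ".join(reasons)))
    return findings


# Constructed sample, modelled on the Silent Runners format (not a real capture).
SAMPLE_LOG = r'''
Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"winlogon" = "*y" (unwritable string) [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPEnh" = ""C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"" ["Synaptics, Inc."]

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "load" = "C:\WINDOWS\system32\dtomsgofkx\winlogon.exe" [null data]
<<!>> "run" = "C:\WINDOWS\system32\dtomsgofkx\winlogon.exe" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"NoAdminPage" = (REG_SZ) 1
{unrecognized setting}

"DisableRegistryTools" = (REG_SZ) 1
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}


Startup items in "User" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\User\Start Menu\Programs\Startup
"winlogon" -> shortcut to: "" [file not found]
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.key}\n    {f.name} = {f.data}\n    -> {f.reason}")
```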

#17 taves

taves

    Member

  • Members
  • PipPip
  • 27 posts

Posted 10 January 2007 - 06:10 AM

Hi,

Alright, I did the myregfix.cmd file and it said that the deletion worked, but regedit still doesn't run for longer than a couple of seconds. I also deleted those files and the folder. The deletions all worked, but HijackThis hasn't changed at all.

I downloaded the Silent Runners program and here is the log file:

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Steam" = "(empty string)" [file not found]
"winlogon" = "*y" (unwritable string) [file not found]
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\mnyexpr.exe"" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Ptipbmf" = ""rundll32.exe" ptipbmf.dll,SetWriteCacheMode" [MS]
"SynTPLpr" = ""C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"" ["Synaptics, Inc."]
"SynTPEnh" = ""C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"" ["Synaptics, Inc."]
"High Definition Audio Property Page Shortcut" = "HDAudPropShortcut.exe" ["Windows ® Server 2003 DDK provider"]
"NvCplDaemon" = ""RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = ""nwiz.exe" /install" ["NVIDIA Corporation"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"NvMediaCenter" = ""RunDLL32.exe" NvMCTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"nmapp" = ""C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash" ["Pure Networks, Inc."]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = ""C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC" [null data]
"PHIME2002ASync" = ""C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC" [MS]
"PHIME2002A" = ""C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"LanguageShortcut" = ""C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"" [null data]
"Ad-watch" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"" ["Lavasoft Sweden"]
"Ad-aware" = ""C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c" ["Lavasoft Sweden"]
"AVG7_CC" = ""C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP" ["GRISOFT, s.r.o."]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray" ["Webroot Software, Inc."]
"winlogon" = "*y" (unwritable string) [file not found]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" [file not found]
"SCDEmuApp.exe" = ""C:\Program Files\PowerISO\SCDEmuApp.exe"" ["PowerISO Computing, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1F023FFF-B052-489C-A6B4-3D8DECBFCAD6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "BHO_BlockHTTP Class"
\InProcServer32\(Default) = "C:\Program Files\JiWire\JiWire SpotLock\BlockHTTP.dll" ["JiWire Inc."]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = (no title provided)
-> {HKLM...CLSID} = "bho2gr Class"
\InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {HKLM...CLSID} = "Shell Extension for CDRW"
\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 DragDrop Shell Extension"
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Property Sheet Shell Extension"
-> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{2F25CF20-C569-11D1-B94C-00608CB45480}" = "TextPad"
-> {HKLM...CLSID} = "TextPad"
\InProcServer32\(Default) = "C:\Program Files\TextPad 4\System\shellext.dll" ["Helios Software Solutions"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{C55C499D-3518-44a1-998E-796AC5FC989D}" = "NetworkMagic"
-> {HKLM...CLSID} = "Network Magic Folders"
\InProcServer32\(Default) = "C:\Program Files\Pure Networks\Network Magic\nmspce.dll" ["Pure Networks, Inc."]
"{33F85093-44BB-4587-B25B-FFD05D5B9916}" = "NetworkMagic"
-> {HKLM...CLSID} = "Network Magic Folders"
\InProcServer32\(Default) = "C:\Program Files\Pure Networks\Network Magic\nmspce.dll" ["Pure Networks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"0aMCPClient" = "{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
-> {HKLM...CLSID} = "MCPShellInstantiator Class"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Stardock\MCPCore.dll" ["Stardock"]
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "load" = "C:\WINDOWS\system32\dtomsgofkx\winlogon.exe" [null data]
<<!>> "run" = "C:\WINDOWS\system32\dtomsgofkx\winlogon.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> MCPClient\DLLName = "C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll" ["Stardock"]
<<!>> WB\DLLName = "C:\Program Files\AlienGUIse\fastload.dll" ["Stardock"]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
Shldsb\(Default) = "{91F8021B-ADB9-4548-A5FF-FB9F009FA5B6}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "Shldsb.dll" [null data]
TextPad\(Default) = "{2F25CF20-C569-11D1-B94C-00608CB45480}"
-> {HKLM...CLSID} = "TextPad"
\InProcServer32\(Default) = "C:\Program Files\TextPad 4\System\shellext.dll" ["Helios Software Solutions"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
Shldsb\(Default) = "{91F8021B-ADB9-4548-A5FF-FB9F009FA5B6}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "Shldsb.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"NoAdminPage" = (REG_SZ) 1
{unrecognized setting}

"DisableRegistryTools" = (REG_SZ) 1
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Krister Toews\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Krister Toews" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Krister Toews\Start Menu\Programs\Startup
"winlogon" -> shortcut to: "" [file not found]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 61 domain names to IP addresses,
61 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Pure Networks Network Magic Service, nmservice, ""C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe"" ["Pure Networks, Inc."]
SmartLinkService, SLService, "slserv.exe" [" "]
Webroot Spy Sweeper Engine, WebrootSpySweeperService, ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"" ["Webroot Software, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 170 seconds.
---------- (total run time: 234 seconds)


Hope this helps.


Thanks!

#18 taves

Member (Members, 27 posts)

Posted 10 January 2007 - 08:53 PM

Hi,


One thing I thought I should add is that I have a program called Objectdock plus by Stardock on my computer and I turned it off when I ran Silent Runners, I don't know if that would make any difference or not...just thought I should tell you.

Thanks.

#19 Ad Astra

Advanced Member (Volunteer Security Advisor, 881 posts)

Posted 10 January 2007 - 09:25 PM

Hi,
One thing I thought I should add is that I have a program called Objectdock plus by Stardock on my computer and I turned it off when I ran Silent Runners, I don't know if that would make any difference or not...just thought I should tell you.

Thanks.


Hi,

Stardock programs are fine, WindowBlinds, Objectdock etc are ok and not an issue. The malware on your PC is quite a sophisticated one which is closing down HijackThis and regedit. I will add another post shortly, but in the meantime if you could try this program as well it would be of help.

Please download Hoster v3.6 from http://www.funkytoad...ent/view/13/31/

At the above web page click on Click Here to download Hoster to download. Unzip the folder and double click on the hoster.exe file to start the program. Click on the edit menu and select "Copy hosts to clipboard". Then paste the contents in a reply to this thread.

Many thanks
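The Silent Runners summary above ("61 domain names ... *not* localhost") and the Hoster request are both about the same check: which HOSTS entries send a name somewhere other than the local machine. The script below is an added example, not part of this thread or of either tool; it parses HOSTS-file text and reports the non-localhost mappings, treating 0.0.0.0 as a harmless blocklist target (an assumption of this example). The sample file content is constructed.

```python
"""Parse Windows HOSTS text and list name->IP mappings that do not point
at the local machine, the condition Silent Runners counts above.
Added example; the sample content below is constructed, not a real log."""
import ipaddress

# Constructed sample: a normal localhost line, two blocklist-style lines,
# and two redirect-style lines sending well-known names to remote IPs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test   # blocklist style, harmless
127.0.0.1       www.banner-host.test
203.0.113.7     www.example-bank.test      # redirected to a non-local IP
198.51.100.22   update.example-av.test securityresponse.example-av.test
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are
    skipped, and one line may map several names to the same address."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        for name in fields[1:]:
            mappings.append((ip, name.lower()))
    return mappings


def non_localhost_mappings(text):
    """Mappings whose target is neither loopback (127.x, ::1) nor the
    unspecified address 0.0.0.0 (assumed here to be blocklist-style)."""
    return [(str(ip), name) for ip, name in parse_hosts(text)
            if not (ip.is_loopback or ip.is_unspecified)]


def summarize(text):
    """Mirror the two counts Silent Runners prints for the HOSTS file."""
    total = len(parse_hosts(text))
    bad = non_localhost_mappings(text)
    return {"total": total, "not_localhost": len(bad), "suspicious": bad}


if __name__ == "__main__":
    report = summarize(SAMPLE_HOSTS)
    print(f"maps: {report['total']} domain names to IP addresses,")
    print(f"{report['not_localhost']} of the IP addresses are *not* localhost!")
    for ip, name in report["suspicious"]:
        print(f"  {name} -> {ip}")
```

Entries that send security-vendor update or support hostnames to a remote address are the ones to look at first in a pasted Hoster log, since they explain why a scanner cannot update.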

#20 Ad Astra

Advanced Member (Volunteer Security Advisor, 881 posts)

Posted 10 January 2007 - 11:34 PM

1. Please download The Avenger by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in bold below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\dtomsgofkx



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

[*] Under "Script file to execute" choose "Input Script Manually".

[*] Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"

[*] Paste the text copied to clipboard into this window by pressing (Ctrl+V).

[*] Click Done

[*] Now click on the Green Light to begin execution of the script

[*] Answer *Yes* twice when prompted.

4. The Avenger will automatically do the following:

[*] It will Restart your computer.

[*] On reboot, it will briefly open a black command window on your desktop, this is normal.

[*] After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Please post back with the contents of C:\avenger.txt

5. Please upload the file C:\avenger\backup.zip for analysis.

Then Please go here to upload the suspicious files for analysis.
http://www.uploadmalware.com/

* Enter your username from this forum as: taves
* Copy and paste the link to this thread: http://www.lavasofts...?showtopic=5868

o Click "Browse" on the 1. field.
Browse to the following files and click the file with your mouse, press "Open"

C:\avenger\backup.zip

* In the comments, please mention that I asked you to upload this file
* Click on Send File


Analysis of the contents of this zip file will help advise you of the next steps to take.

6. Next please set Ad-watch to manual mode, right mouse click on Ad-watch icon in the system tray and select "Ad-watch settings". Make sure the item for "Automatic" is off i.e. is a red cross. If Automatic is on just click to turn it off.


7. Please boot into safe mode,

See this Microsoft article URL for help on how to do this http://www.microsoft...e.mspx?mfr=true

8. Then please try to run the renamed HijackThis file again.

9. Please try re-running the myregfix.cmd created before and try to run regedit again. If Ad-watch is running it will alert you to those two registry changes; please accept these two changes.


10. Please reboot into normal mode, if Ad-watch alerts to those two registry changes detailed in the myregfix.cmd file please accept these two changes.

Please post back with:

The hoster log as described in the previous post

The contents of avenger.txt

A copy of a scan with HijackThis if it ran OK in safemode.

An update if regedit will now run or not.

Many thanks
